SEPTEMBER 2022 • VOL 2, ISSUE 63 • $9 95 • www sdtimes com
dtSearch.com 1-800-IT-FINDS The Smart Choice for Text Retrieval® since 1991 dtSearch’s document filters support: popular file types emails with multilevel attachments a wide variety of databases web Developers:dataandrecent .NET (through .NET 6) Visit dtSearch.com for developer evaluations efficient multithreaded search forensics options like credit card search InstantlyTerabytesSearch® ADVERTISING SALES CUSTOMER SERVICE EDITORIAL www.sdtimes.com EDITOR-IN-CHIEF David Rubinstein drubinstein@d2emerge com NEWS EDITOR Jenna Sargent Barron jsargent@d2emerge com MULTIMEDIA EDITOR Jakub Lewkowicz jlewkowicz@d2emerge com SOCIAL MEDIA AND ONLINE EDITOR Katie Dee kdee@d2emerge com ART DIRECTOR Mara Leonardi mleonardi@d2emerge com CONTRIBUTING WRITERS Jacqueline Emigh, Elliot Luber, Caryn Eve Murray, George Tillmann CONTRIBUTING ANALYSTS Enderle Group, Gartner, IDC, Intellyx SUBSCRIPTIONS subscriptions@d2emerge com ADVERTISING TRAFFIC Mara Leonardi mleonardi@d2emerge com LIST SERVICES Jessica Carroll jcarroll@d2emerge.com REPRINTS reprints@d2emerge com ACCOUNTING accounting@d2emerge com PUBLISHER David Lyman 978 465 2351 dlyman@d2emerge.com MARKETING AND DIGITAL MEDIA SPECIALIST Andrew Rockefeller arockefeller@d2emerge com PRESIDENT & CEO David Lyman CHIEF OPERATING OFFICER David Rubinstein D2 EMERGE LLC www d2emerge com
NEWS 4 News Watch 10 Why the web framework hype train is always moving 12 New Relic introduces integrations with Jira 12 Codefresh makes GitOps more accessible with Argo service Contents page 6 Software Development Times (ISSN 1528 1965) is published 12 times per year by D2 Emerge LLC, 2 Roberts Lane, Newburyport, MA 01950 Periodicals postage paid at Newburyport, MA, and additional offices SD Times is a registered trademark of D2 Emerge LLC All contents © 2022 D2 Emerge LLC All rights reserved The price of a one year subscription is US$179 for subscribers in the U S , $189 in Canada, $229 elsewhere POSTMASTER: Send address changes to SD Times, 2 Roberts Lane, Newburyport, MA 01950 SD Times subscriber services may be reached at subscriptions@d2emerge com FEATURES The project management task you (almost) never complete page 14 DevOps Feedback Loop Explained: Noisy Feedback The role of UI/UX testing in customer satisfaction page 18 Security and integration are key concerns for API management VOLUME 2, ISSUE 63 • SEPTEMBER 2022 BUYERS GUIDE COLUMNS 22 GUEST VIEW by Mark Nunnikhoven Is low-code a security risk? 23 ANALYST VIEW by Bill Holz 12 essential skills for agile devs page 8
C D P O n e p rov i d es Ze ro Ops functionality that enables easy self service analytics on any type of data and reduces TCO by 20% to 35% when including initial set up and operations of platform ops, sec ops and support, versus DIY cloud solutions, according to Cloudera in a post Infragistics Ultimate 22.1 released This release is intended to improve, streamline, and mod ernize app building with added features, capabilities, and UI co nt ro l s, b ette r d es i g n a n d development processes, and a
The productivity tools compa ny, J e t B ra i n s, re ce n t l y announced that its complete platform for software develop ment, Space, is now available o n p re m i ses i n b e ta Th i s offering comes with Docker Co m p ose a n d Ku b e r n e tes installation options Space brings users an all in one platform that covers G i t h ost i n g , co d e rev i ew, CI/CD, package repositories, i ss u e t ra c k i n g , d o c u m e n t s, and chats
The service has built in enterprise security and machine learning that requires no security or monitoring oper ations staff, helping companies move to cloud computing for analytics and data
n Veronica Curran is SmartBear’s new Chief People & Culture Officer, and will be utilizing her back ground in Diversity, Equity, and Inclusion (DEI) to build an inclusive culture at SmartBear and improve acquisition and onboarding. She comes most recently from Alumni Ventures where she was Chief People Officer.
Cloudera launches Data Platform One C l o u d e ra a n n o u n ce d t h e launch of Cloudera Data Plat form (CDP) One, an all in one data lakehouse software for analytics and exploratory data science
n Stuart McClure has been named the new CEO of ShiftLeft He has over 30 years of experience in security, and will use this experience to drive growth for the company and advance AI/ML in the DevSec Ops market Previously he was CEO and founder of Cylance, which Blackberry acquired in 2019 n NS1 has appointed Emily Nerland as its new head of global sales. She will be focused on working to bring awareness to the company’s products world wide and explain to companies how NS1 solutions can solve current and future infrastructure problems. She was previously the managing director of EMEA at Masergy.
Four tracks will be includ ed in the hackathon as areas to d eve l o p i d e a s a ro u n d : c y b e rse c u r i ty, i nfo r m a t i o n hyg i e n e, a n d m e d i a wa rs ; mental health, kids education, and logistics in war. According to Sigma Soft ware, the hackathon will have three winners at the end, and they will be able to implement t h e i r i d e a s w i t h a ss i sta n ce from investors and mentors Microsoft Dev Box enables on-demand workstation creation The managed service enables d eve l o p e rs to c re a te “o n d e m a n d , h i g h p e r fo r m a n ce, se c u re, rea d y to co d e, p ro j e c t s p e c i f i c wo r ksta t i o n s i n the cloud,” the company said U se rs ca n s i g n i nto t h e Azure portal and search for dev box to begin creating dev boxes for their organization Dev Boxes are ready to code and pre configured by the team with all the tools that developers need Devel opers can also create their own dev boxes whenever they need to switch between proj ects, experiment on a proof of concept, or start a full build in the background Dev Box suppor ts any developer IDE, SDK, or tool that runs on Windows It also supports building cross plat form apps because of Windows Subsystem for Linux and Win dows Subsystem for Android JetBrains Space now available on-premises
Cross-European “Hack for Peace” hackathon announced Swedish Ukrainian software company Sigma Software Group has teamed up with Tech Nation to host a hackathon called Hack for Peace through out Europe aimed at building tech solutions for solving issues related to war and promoting peace throughout the region. The hackathon will take place from October 21 23 in U k ra i n e, t h e U K , Swe d e n , Poland, and Portugal. Hack for Peace participants will be able to co n n e c t o n l i n e t h ro u g h te l e co nfe re n c i n g o p t i o n s i n o rd e r to exc h a n g e i d e a s across country borders, the companies explained.
The 2022 update also includes a new hierarchy design for drivers where each driver will now get a JSON document with details on how to build cus tom connection dialog UIs
Finally, based on customer feedback and interest, CData d e c i d e d to d e p re ca te t h e M u l e S of t Co n n e c to rs a n d BizTalk Adapters, but will still s u p p o r t co n n e c t i v i ty f ro m these platforms
4
On top of this, users gain access to a remote develop ment toolset and native inte gration with JetBrains IDE According to the company, Space is customizable and can be extended to meet the spe cific needs of any company in the industry It also works to eliminate context switching by s i m p l i fy i n g t h e d eve l o p e r ’s wo r k a n d l e a d i n g t h e m to focus on their tasks with mini mal distractions CData brings out 2022 updates to solutions
N E W S WATC NH E W S WATC H SD Times September 2022 www.sdtimes.com
People on the move
The data connectivity compa ny CData has announced the 2022 release of its drivers and co n n e c t i v i ty so l u t i o n s, a n d the update comes packed with features F i rst, i t a n n o u n ce d t h e addition of several new data so u rces, i n c l u d i n g A l l oy D B , Azure Active Directory, Mon day com, Neo4j, Oracle ERP, Oracle HCM, Oracle Service C l o u d , O u t re a c h , P i p e d r i ve, Re c ko n Acco u n t s H oste d , Salesloft, and Zoho Projects The company also an nounced that its UI for ODBC Drivers now includes tabs in the connection dialog boxes that allow information to be pre viewed, which means that users won’t have to relaunch the dia log box to see that information
To make charts more easy to use, GitHub Projects enables configuring and tracking cycle velocity, current work status, a n d co m p l ex v i s u a l i za t i o n s like cumulative flow diagrams
In addition, the company has introduced several platform updates such as:
l Omniverse Audio2Face: An AI tool with the ability to create facial animations straight from an audio file and infer and generate realistic emotions
l Omniverse Machinima: Several new, free 3D assets from Post Scriptum, Beyond the Wire, and Shadow Warrior 3 games, as well as a suite of new AI animation tools
Microsoft introduces Windows Community Toolkit Labs
The new “Labs” repository will hold discussions about new items and development along with initial ‘experiments’ that will each represent a new com ponent (or set of related com ponents) that will begin its journey from an initial imple mentation to a well tested fea ture working through a defined set of criteria and quality gates along the way With Windows Community Toolkit Labs, users can make changes in Labs, try out new ideas, and not have to worry about having code needing to be ‘shippable’ in order to make its way to the repository. With this, the company can more easily gather feedback from developers, collaborate with users on the component, tests, and documentation, and re d u ce t h e ove r h e a d o n reviewing monolithic PRs Quality gates can then be abstracted as a part of this p ro cess a n d i n c re m e n ta l l y review and move components from the prototyping stage towards a production quality component
www.sdtimes.com September 2022 SD Times
According to the company, with this expansion, users gain access to new AI powered tools and features that offer artists, developers, and engineers the power to construct virtual worlds and content easier than ever This release also works to help users more easily connect to 3D applications such as PTC Creo, SideFX Houdini, Unity, and solutions from the Siemens Xcelerator platform
NVIDIA announces major release of Omniverse
l Omniverse Kit: New OmniLive Workflows brings an overhaul of USD based collaboration in Omniverse that offers increased speed and performance to multiple app 3D workflows
l Omniverse DeepSearch: Omniverse Enterprise customers can utilize AI to intuitively and accu rately search through large untagged 3D asset databases of visuals using nature language.
Over the next two quarters, GitHub said it will focus on the co nt i n u o u s i m p rove m e nt of the day to day scenarios. This includes adding parent child, d u p l i ca te, d e p e n d o n , a n d block relationships in issues and projects to keep everyone aligned, new automation capa bilities with custom triggers, conditionals, and action logic.
5 st rea m l i n e d a n d i nte ra c t i ve data visualization experience. Among the new enhance ments is improved design to code features and capabilities in App Builder, such as Swag ger UI support, localhost data a ccess, b u s i n ess c h a r ts, 1 5 screen layouts, new UI kits in the design system, and new add ons in the App Builder toolboxUpdated UI kits and new co nt ro l s i n A n g u l a r, Bl a zo r, React, and Web Components, new themes, and Angular Piv ot Grid and Blazor DockMan a g e r a re a l so i n c l u d e d i n Infragistics Ultimate 22.1.
The team at Microsoft recent ly announced that the Win dows Community Toolkit Labs is now the primary way that the company will be develop ing new features for Windows Co m m u n i ty To o l k i t I t i s i n te n d e d to a c t a s a s a fe space for collaboration and e n g i n e e r i n g so l u t i o n s f ro m the prototyping stage all the way t h ro u g h p o l i s h e d a n d finalized components According to Microsoft, t h e Wi n d ows Co m m u n i ty Toolkit Labs will make it easier for users to contribute to the toolkit, try out new features still in development, and coop erate together on the devel opment process
“The metaverse is a multi trillion dollar opportunity that organizations know they can’t ignore, but many struggle to see a clear path forward for how to engage with it,” said Rev Lebaredian, VP of Omniverse and simulation technology at NVIDIA “NVIDIA Omniverse closes the gap between the physical and virtual worlds, and these new tools, technologies and collaborations make it possible to leap into the 3D internet today ” A key element of this expansion is the launching of NVIDIA Omniverse Avatar Cloud Engine, a suite of AI models and services made for building and deploying lifelike virtual assistants and digital humans.
GitHub Projects is now available to group issues GitHub announced the gener al availability of the new Proj e c t s p owe re d by G i t H u b Issues. The new version con nects planning directly to the work that teams are doing on GitHubThe new GitHub Projects enables users to group and pivot their issues by stage, pri ority, status, assignee, or any custom field Users can also define prior ities, labels, assignees, OKRs, reviewers, QA stages, and oth er concepts with a type sys te m t h a t a d a p t s to u se rs’ processes and workflows
NVIDIA, the company known for designing and manufacturing GPUs, announced a new range of developer frameworks, tools, apps, and plugins for its platform for building and connecting Metaverse worlds based on Universal Scene Description (USD), NVIDIA Omniverse
A new timeline layout will sup port group by to quickly seg ment the work by team, initia tive, or product line A GitHub Mobile experience will also be available. z
The James Webb Space Telescope is the largest optical space telescope ever built. It is designed to see back more than 13 billion years to the dawn of the universe. While the telescope’s functionality is meeting if not exceed ing expectations, the project cost more than 10 times what it was originally expected to cost and came in 14 years late The Webb team learned what IT has long known the bane of project management is estimating Flip a coin a hundred times and half the time it will come up heads and half the time it will come up tails Project estimates (effort, time, and cost)? well that’s a different story Antidotal information is that project managers are more than five times as likely to underestimate effort, time, or cost than overestimate them Why do we under estimate so often? Well, perhaps it is in our genes If we ignore for the moment evolutionary biology, genetics, neuro science, neuroepigenetics, phylogeny, phrenology, not to mention the Hardy Weinberg principle, we see how under estimation is an evolutionary advantage for our species. How many times have you said that if you knew how hard it was going to be to do something you never would have undertaken it? If T h o m a s E d i s o n k n e w h o w h a r d i t would be to invent the light bulb would he have tried? Had the U S Congress known what the Webb telescope would eventually cost would they have funded it? Underestimating is a tremendous advantage for our species, for it allows the creation/discovery of things that rational minds avoid However, while some evolutionary traits are an advantage for the species, they can be a disaster for the individu als of that species. For example, salmon swimming upstream to spawn is good for the salmon species, but the individ ual fish does not survive the journey. And the praying mantis who eats her mate well let’s not even go there. Similarly, while underestimating might be essential for the human species to advance, it can play havoc for the indi vidual, such as a project manager
SD Times September 2022 www sdtimes com6
This article is adapted from his book, Project Management Scholia: Recognizing and Avoiding Project Management’s Biggest Mistakes (Stockbridge Press, 2019) He can be reached at georgetillmann@gmx com
T h e r e i s o n l y o n e p r a c t i c a l
The reality of the situation is that whatever you do, you might be destined, perhaps by some aberrant gene, to underestimate the effort required to build your system This is the estimation conundrum The systems development Kobayashi Maru The no win scenario workaround for this genetic peculiarity needs frequent, timely, and accurate George Tillmann is a retired programmer/analyst, project manager, and CIO
The Project Management Task You (Almost) Never Complete BY G EO R G E T I L L M A N N
f e e d b a c k T h e p r o j e c t m a n a g e r
feedback as to the quantity and quality of all functionality produced along with the time and cost it took to produce it (See “Planning for the Perfect,” March 2020). With constant feedback the proj ect manager can finally overcome his or her genetic destiny. The number one source for understanding the scope of actual project deliverables and their costs is the post project review (PPR) The project’s PPR is a chapter in the project manager ’ s and IT’s history book It provides necessary feedback so that the project manager can continually learn and improve project management skills It can also play a valuable learn ing tool for other project managers, or would be project managers, as to what to do, what not to do, and what to avoid like the plague
continued on page 9 >
If user management refuses to fund the PPR then the project manager should encourage IT to foot the bill It might take some selling (See “Half of Managing is Selling,” November 2020) but if the project manager focuses on the benefits to IT, all might turn out well. If IT doesn’t have the funds to pay for the PPR directly, then IT might consider the cost of the PPR a project overhead item and bundle it into IT’s daily billing rate 2. Positives and negatives. This is not summer camp where every kid gets a trophy Lay out what went well but also point out what could have been done better Do not defend what is not defensible If IT management failed to have needed developers or develop ment tools available on time, say it If user management never provided the promised space the team needed, say it If the project manager miscalculated testing time, ‘fess up (Don’t worry about retaliation When was the last time a user or IT management volun tarily read a project team deliverable?)
However, this is only possible if a robu s t and truthful PPR exists Many PPR tasks are included in initial project plans but they are eaten up by the two PPR enemies: poor project planning and scope creep. Once the project man ager discovers that schedules or costs will likely overrun the plan, then the hunt is on for the tasks that can be sac rificed. The PPR is often the first. The 20 person day PPR is cut to 10 days, then five days, and then completely eliminated in an IT sleight of hand
The Internet is awash with PPR templates and sample reports free for downloading You need only pick one and follow it They all look a bit differ ent, but the differences are largely unimportant if they include a tradition al mathematical look at schedules, staff effort, costs, deliverables, etc as well as two additional critical components The first is lessons learned, a review of the project’s successes and failures This section is the lynchpin for any hope for future project managers to learn from the experiences of those who went b e f o r e t h e m T h e p r o j e c t m a n a g e r should detail what worked, what didn’t work, and why All subjects are fair game including tools, techniques, staff ( u . s . e r a n d I T ) , p r o d u c t i v i t y, u . s . e r a v a i l a b i l i t y, v e n d o r s , t e s t i n g i s s u e s , working conditions (office space, tech nical resources, pizza delivery, etc.), and even those moments of brilliance as well as the mistakes made by the project manager
The second critical component is recommendations for future systems development projects, where the proj ect manager speaks to future project managers (or his or her future self), detailing what future project managers should look for and what they should do differently Think of Dear Abby giving lovelorn advice, only here the advice is for the managers of future projects
www.sdtimes.com September 2022 SD Times 7
3. Be honest and objective. There is no sense in going through the effort of a PPR if it becomes a puff piece (just the good things) or thin soup (a two page Hallmark card congratulating the team) Remember all those times you went home frustrated and kicked the dog? This is the opportunity to explain those vet bills, cleanse the soul of the disappointments with being a systems developer, and help the next project’s team members with better canine rela tionships Honesty is particularly needed in understanding project productivity Accounting can give you an accurate “dollars spent” (cost) on the project, and HR the staff hours consumed (effort), both of which might be the only num
There are a few critical success fac tors for a good PPR 1. Bundle the PPR into the proj ect plan. The best way a project man ager can increase the chances of a decent PPR is to bundle the review (including its schedules and costs) into the project plan Some u s er managers might balk at paying for a PPR Telling one user organization that they are being billed for a task that might only benefit another user organization is often a non starter If the PPR is a s e a m l e s s p a r t o f I T ’ s d e v e l o p m e n t methodology, then it might very well pass user scrutiny If it becomes an issue with user management, then the project champion might be useful in convincing the user of the value and importance of a robust PPR (See “Pro jects, Politics, and Champions,” March 2022)
To justify such a change from a financial point of view, first of all, she needed to calculate how much the production BY PAVEL AZALETSKIY AND JACK MAHER SECOND OF FOUR PARTS Feedback Loop Explained:
SD Times September 2022 www.sdtimes.com8
As you may recall from Part One, Alice joined the company to work on a digital product, with the specific goal to accelerate delivery. The engineering team was relatively small, about 50 engineers, with three cross-functional teams of 6 engineers, shared services for data, infrastructure, and user acceptance testing (UAT). Analysis showed that the largest amount of time spent in the product delivery process was spent in testing after code development was completed.
Noisy Feedback
DevOps
•Trust in automated tests deteriorated: the engineering team didn’t look at automated tests results
•The shared team focused on firefighting, most likely because no one addressed environment consistency early in the•Collaborationprocess issues among teams due to capacity constraintsAlice proposes to fix such an issue with fragile and inaccurate quality feedback from nightly regression. She suggested gradually reducing the number of failed tests and blocking further development unless the threshold is achieved. Given the initial start of 25% (250 failed tests) it might be reasonable to set the target of 20% and then, with a 3% increment, go down to 2-3% of allowed failed tests. Therefore, for a specific period, the product team would allocate some % of capacity to address this "quality debt" and refactor tests, fix infrastructure, or address data issues affecting test results. She also proposed for the transition period to dedicate one DevOps and one data person per team for at least a sprint to ensure the teams can challenge the status quo with appropriate domain expertise. As an outcome, she expected to reduce the number of production incidents that distracted all groups.
Feedback is routinely requested and occasionally considered. Using feedback and doing something with it is nowhere near as routine, unfortunately. Perhaps this has been due to a lack of a practical application based on a focused understanding of feedback loops, and how to leverage them.
We’ll look at Feedback Loops, the purposeful design of a system or process to effectively gather and enable data-driven decisions; and behavior based on the feedback collected. We’ll also look at some potential issues and explore various countermeasures to address things like delayed feedback, noisy feedback, cascading feedback, and weak feedback. To do this, we’ll follow newly onboarded associate Alice through her experience with this new organization which needs to accelerate organizational value creation and delivery processes.
•Quality degradation since there were actual defects to be addressed, but they were hidden under the noise.
Our previous story was devoted to delayed feedback. Today let’s look at what noisy feedback means for the speed of digital product delivery.
Such a situation had several adverse consequences:
Alice learned that the team has an automated regression suite that runs every night (4 hours) and always has about a 25% failure rate for 1,000 tests. Some engineers even tried to fix these issues, but they didn’t have time because of the release deadline and feature development priority, so no one had done anything substantial about it. To keep the ball rolling and continue feature development, it was customary to skip results and move forward. It was easy to close your eyes to the small noise/failed tests especially if you know that the test failure is not a product defect but a test defect. Indeed, it would be great if automated regression had found defects as it was supposed to do. Instead, failed tests signaled environmental issues in which tests are executed. The typical issues were network latency leading to the timeout services, wrong version of the components the product is integrating with, network access issues, wrong libraries on the server to run the application, the database was corrupted data, etc. To investigate and discern the root cause of the failed tests’ actual defect from environment misconfiguration or malfunction, the engineering team needed to dedicate a significant amount of time given the accumulated volume. And as you might suspect, most of the environmental issues were under the control of the infrastructure team and the data team. These teams were focused on the production environment being focused on firefighting, keeping a small capacity to support product delivery. As you can imagine, it was hard to find a common language for these three groups since all of them were independently responsible for their piece of value delivery but didn’t recognize the importance of working together on every value increment.
The Little Book of Big Mistakes and How to Avoid Them
< continued from page 7
e e d 5 6 r e l e a s e
Available on Amazon Project Management Scholia focuses on the 17 most consequential reasons IT projects fail and presents ways the project manager can avoid these problems by reading the danger signs and taking timely corrective action The book dives into the often painful lessons learned not from the library or the classroom but from the corporate trenches of real world systems development.
• Post production release stabilization costs typically average one engineering team being focused over a couple of days to fix as well as the infrastructure and database team The last reporting period had three days, with six engineers from the product team and two engineers each from infrastructure and database Total ten engineers for three days Over the past few releases this has been about 120 full time engineering days And required investment • Three teams allocated 10% of their capacity to address these issues, which is about two engineers per release Giv en initial coverage of 25% they might n s o s t a b i l i z e t h e regression suite. So it is about 12 full time engineering days.
To summarize this story, we would emphasize the importance of a feed back loop frame when you optimize digital product delivery In addition to the short time to get feedback, feed back accuracy also plays a vital role in ensuring the speed of delivery z bers that senior management cares about However, for understanding pro ductivity, both of these numbers are meaningless without also considering the work completed (the fully developed and tested functionality of the system)
As you can see, the cost implications of leaked defects because of the fragile environment were substantially more than the required investment of 120 full time engineers vs 12 days. Therefore, after discussion with the product manag er, she got approval to start fixing the noisy feedback and improve its accuracy and value for the engineering team
Alice’s story didn’t end here, she also investigated several other issues known as cascaded feedback and weak feed back We will unfold these terms in the following stories
www.sdtimes.com September 2022 SD Times 9 deployment and post deployment inci dents cost to address, and also calculate the average cost of a defect in produc tion (It might be the revenue loss and/or labor costs to fix the issue) Since her proposal is temporary and the release production issues are continu ous, it was easy to quickly confirm, and gain quick benefit Let us take a look at the numbers: • Revenue loss because of defects varied from $100 per minute to $1,000 per minute because of reputational consequences. Last year ’ s loss was esti mated as half the cost of one full time engineer (FTE).
t
If functions were eliminated or their usefulness reduced, if testing was abbre viated, or if documentation was short changed, and these changes are not tak en into account when calculating productivity, then a false number will emerge, the cycle of poor and inaccurate feedback will continue, and any hope of project managers learning from their experiences will evaporate. Ensure that the actual functionality delivered is the basis of any PPR 4. Include many inputs and many comments from many people. The PPR is not the project manager ’ s oppor tunity to settle scores Every team mem ber, IT and user, IT management and user management, should have the opportunity to add his or her comments and rants to the PPR However, the PPR is not a social media blog There should be an “official” opinion penned by the project manager However, just as the U S Supreme Court might have a minor ity opinion accompanying the opinion of the majority, there should be an opportu nity and place in the PPR for those who disagree with the project manager ’ s con clusions to post their opinion There are four important PPR takeaways:
1. Unless you are retiring after the cur rent project, past projects can help you perfect your skills for future projects. 2. The PPR is the best vehicle for learn ing from past projects 3. Use the PPR to build a picture of yo u rse l f a s a p ro j e c t m a n a g e r. (a) Where do you habitually underestimate or overestimate? (b) What should you h ave d o n e d i ffe re n t l y? (c) W h a t p ro cesses, d a ta , o r p e rso n a l s k i l l s would help you be a better project manager? 4. Tell the truth lying, shading, or coloring what really happened is a waste of precious project time D o n e p r o p e r l y t h e p o s t p r o j e c t review can be one of the most useful and most cost effective tools in IT’s sys tems development arsenal It will also please your dog z
George Tillmann is a retired programmer, analyst, management consultant, CIO, and author
By George Tillmann
hype BY
A SA
E N T
R R O N
JavaScript frameworks are a useful tool for developers because they help developers be more efficient by eliminating the need to rewrite boiler plate code for a new app or download individual libraries. Mozilla describes them as follows in one of its documentation pages: “A framework is a library that offers opin ions about how software gets built. These opinions allow for predictability and homogeneity in an application ”
Why the
SD Times September 2022 www sdtimes com10
L o o k i n g a t a c t u a l s u r v e y s o f J a v a S c r i p t f r a m e w o r k s , t h e r a n k i n g really depends on what criteria you are using to categorize things Take the Stack Overflow surveys as an example, which sorts technologies based on most commonly used, loved vs dreaded, and most wanted
There are many JavaScript frame works out there; You may have heard of t h e p o p u l a r f e w : A n g u l a r, R e a c t , jQuery, Vue js, etc There is not one framework that is best, and a certain framework’s popular ity over another depends on a number of factors, such as current development trends, what developers need, what peers are using, and so on In fact, if you do a Google search for “JavaScript frameworks,” the first several pages of results will likely be filled with articles w i t h t i t l e s l i k e “ To p 2 0 J a v a S c r i p t Frameworks to use in 2022.” And yet each of these articles won’t agree on the order of the rankings (the first few arti cles I looked at had React, Angular, and Vue.js as the number one).
Last year, in the 2021 Stack Over flow developer survey, React surpassed jQuery as the most commonly used framework for the web, with 40% of respondents using it This finding matches up to the sur vey ’ s “Loved vs Dreaded” section which looks at the ratio between developers who love a technology compared to those that dread using it The ratios w e r e a l m o s t f l i p p e d f o r R e a c t a n d jQuery in the 2021 survey, with 69% of d e v e l o p e r s l o v i n g R e a c t a n d 3 1 % dreading it, and 35% of developers lov ing jQuery and 65% dreading it React was also the most wanted framework of the report, with 25% of the developers citing an interest in developing with React. Seventeen per cent want to use Vue.js, 9% want to use Django, 8% want to use Angular, and 7% want to use Svelte. And despite React being the most commonly used and wanted frame work, it’s actually only the fourth most l o v e d f r a m e w o r k , b e h i n d S v e l t e , ASP NET Core, and FastAPI A similar study from Netlify found similar discrepancies based on how they were measuring For example, React was the most frequently used framework, and while it had a high satisfaction rating, Vue js had a higher satisfaction score How a team chooses a framework varies T h e r e ’ s n o t o n e f r a m e w o r k t h a t i s agreed to be the best, but companies find the framework that works best for them and that can depend on a number of factors. Kirsten Anderson, software engineer II at tax compliance company Avalara, cited ease of use for her team’s develop ers as an important factor, and Andrew Bloom, software developer engineer II, at Avalara, added that ease of use, maintainability, and developer friendli ness are high on the list what they look for in a framework Bloom also said that the closer a framework is to vanilla JavaScript, the easier it is for new developers to start using it, which is another selling point “If you know JavaScript, it shouldn’t be too hard to learn a JavaScript frame work,” he said “I think that is some thing that we ’ re looking for ” For example, his team at Avalara uses React and that makes it easier to bring on new developers “More developers, I would say, probably know React than maybe some obscure framework So that’s definitely valuable,” he said According to Jason Lengstorf, VP of developer experience at Netlify, the process for choosing a framework varies based on company size. Smaller teams might have more opportunities to experiment and they’re really trying to solve for agility. Using the newer frameworks can also be a selling point when they’re looking to hire new developers because they can offer the ability to work on something new, where as at a larger company it’s more likely you’ll be working on legacy projects Larger companies, however, don’t typically want to be the first to move on something “Bigger companies are looking for an established framework, something that has a lot of proof points, other compa nies are using it, and there’s a ton of doc umentation experts in the field Just something that they know they’re not blazing trails with because that gets very expensive if you ’ re trying to blaze a trail with a huge dev team,” he said Take React, for example It was developed by Facebook, which gives it some credibility.
“They proved out the model, like look how big we are, how much traffic we ’ re serving, and how complex our app is. And React does all this. So other compa nies looked at that and said, “Oh well, if React can handle Facebook, it can han dle our company, ” said Lengstorf Anderson’s experience echoes that When we spoke, her team was in the p r o c e s s o f s w i t c h i n g t o a d i f f e r e n t framework, and the reason for the switch was that the one they used pre viously was not heavily used and was maintained by a single person, so there was worry about what would happen if that person just stopped maintaining it “So it worked well for us, but we wanted to be sure that there was a lot of support behind the framework that we wanted to use, ” she said web framework J E N N R G BA
If everyone is just using the framework that is most popular, then why is there such a frequent switchup in the most popular framework? Now everyone is using React, but a few years ago Angu lar was the top framework. This is a result of experimenting w i t h n e w f r a m e w o r k s , L e n g s t o r f explained, and it’s also why it’s so impor tant to give developers room and time to work on personal projects. A developer might be using one framework for their work projects, but can experiment with new or different frameworks on their individual proj ects Then, if they really like something, you’ll see them start to advocate for it, and if there are enough of those devel opers advocating for a new project, then it’ll start to gain popularity “And it’s those super early adopters who then start the advocacy internally, which will lead to the next big swing, like React came to popularity I would assume through that form of motion,” said Lengstorf “And I think we would see the same thing happen with what ever the successor to React is going to be It will be a similar thing where some internal advocate is going to drive it up the chain far enough that it becomes used on an enterprise site, and it’ll become a proof point ” Lengstorf also believes there’s an element of people really liking the things they get to choose that drives up satisfaction for those frameworks that they’re using to work on their individual project. He continued: “Typically they’re building for themselves. So it’s a slightly less restrictive set of requirements And they get to experiment and play and it’s super fun, so their satisfaction is really high As these things get adopted, you ’ ve got more and more situations where somebody is not choosing the tech, they’re now being told, ‘this is your tech stack ’ And you have to solve these prob lems that you ’ re not choosing for your self using this tech stack that was chosen for you And that’s where the people start to feel the friction ” This might explain in part why the satisfaction for React has been drop ping down the list of the “Most Loved” frameworks in the Stack Overflow sur vey, where it currently stands at num ber 4 as of the 2021 survey Schedule experimentation time Giving your developers time to experi ment with new frameworks without them having to take time from their own personal time to do so is a good idea.
While some developers might be excited about that and want to try new things, it’s okay if that’s not you “For the average developer who’s not building side projects, who’s not necessarily unhappy with their current suite of tools, this is the sort of thing that when it becomes relevant, you’ll know about it, companies will start shifting their stacks,” Lengstorf said “And if you don’t want to be the one who’s bringing that new stack in, don’t stress about it yet, these frameworks all feel relatively similar to us ” z
“Because I do think that a core part of the innovation cycle is getting the oppor tunity to try things as part of your job, as opposed to saying only people who have spare time to try things in their free time get to innovate or advance ”
train is React jQuery Angular Express ASP.NET Core Vue.js ASP.NET Spring Flask Django Svelte ASP.NET Core FastAPI React Vue.js Express Spring Ruby on Rails Angular Django Angular.js Drupal jQuery ASP.NET Symfony Gatsby Flask Laravel Django Angular
“I would love to see more of that tin kering built in,” said Lengstorf.
always moving
The Stack Overflow Developer Survey looks at a number of different metrics to rank technologies in different ways. Most popular is a measure of how commonly used a framework is, most loved is a measure of the percentage of respondents who enjoy work ing with the framework, and most dreaded is a measure of the percentage of respondents who don’t like working with the framework.
The Most Popular Web Frameworks The Most Loved Web Frameworks The Most Dreaded Frameworks
Source: Overflow Insights
How do new frameworks enter the arena?
Devloper Survey May 2021
www.sdtimes.com September 2022 SD Times 11
One way to facilitate innovation is to actually as a company provide time for that For example, at Netli fy they host hack days where people are given room to experiment “People pull some really mind blowing stuff out,” Lengstorf said “And it’s made huge advancements in our product, including some of the stuff with experimenting with d i f f e r e n t f r a m e w o r k s , d i f f e r e n t tools, so that we can see like, oh, this would actually make a huge impact on our ability to ship.” Ease up on trying new frameworks S o m e t h i n g t h a t d e v e l o p e r s g e t stressed about is this notion of “JavaScript fatigue” that results from new things constantly being released
Stack
BY K AT I E D E E
The observability company New Relic announced that it has joined the Atlass ian Platform Partner Program as part of the Atlassian Open DevOps solution that integrates Jira Software with popu lar DevOps tools. In order to empower developers to access and set up full stack error track ing and software performance monitor ing from inside Jira Software, New Rel ic has integrated errors inbox with Jira Software “As applications grow more com plex, developers need a system in place to proactively fix errors before the cus tomer experience is impacted,” said Peter Pezaris, SVP of strategy and user experience at New Relic “Errors inbox for Jira Software, which builds on the strong history between New Relic and Atlassian, makes developers’ lives easi er by allowing them to get to the root cause faster with full error details including stack traces and alerts whenever a critical, customer impact ing error arises. Ticketing is made easi er, too, as teams can instantly create Jira Software issues with all the right infor m a t i o n , w i t h o u t l e a v i n g t h e i r e r r o r management workflow ” According to the company, this inte gration allows developers to create Jira S o f t w a r e i s s u e s d i r e c t l y w i t h i n t h e errors inbox, the New Relic platform functionality for error tracking Wi t h t h i s , N e w R e l i c h a s a l s o announced the launch of the Jira Soft ware toolchain page, intended to assist teams of developers in discovering and installing DevOps tools in order to improve their practices K e y f e a t u r e s o f t h i s i n t e g r a t i o n include the ability to track, triage, and resolve errors all in one place, the ability to resolve errors before they negatively impact users, heightened cross team collaboration, and the ability to create Jira Software issues with one click “Atlassian and New Relic share a vision to improve the developer experi ence by meeting users where they are and allowing them to use the tools they know and love,” said Bryant Lee, VP of partnerships and developer experience at Atlassian “We are excited to include New Relic errors inbox as an app in the Jira Software toolchain page, which makes it easier for millions of users to discover and connect DevOps apps used throughout the software development lifecycle to fill gaps in the toolchain as their DevOps practices evolve.” z
The hosted Argo platform is now accessible at no cost for community p r o j e c t s , i n d i v i d u a l s , a n d s m a l l e r DevOps teams looking to gain access to GitOps best practices for quick, reli able, and secure software delivery in the cloud Codefresh’s managed Argo CD plat f o r m c o m e s a s a f e a t u r e c o m p l e t e GitOps software delivery solution It is intended to eliminate the need for installation, maintenance, or home grown custom integrations to work with popular DevOps tools and, according to the company, the managed instances are ready for deployment in seconds “Codefresh has demonstrated to enterprises of all sizes the value inherent to Argo CD, and this value is built atop a sustained commitment from Codefresh and the community to cultivate Argo and GitOps for the future,” said Raziel Tabib, co founder and CEO of Codefresh “To empower everyone with this capability is the fullest expression of our commitment to open source innovation ” Codefresh also said that by leverag ing open source Argo in a code to cloud solution, users gain access to h e i g h t e n e d v i s i b i l i t y i n t o C I / C D deployments as well as an easy to use framework for implementing GitOps Additionally, Argo offers users a scal able solution for large teams that are working to target multi cluster, multi application deployments
Codefresh makes GitOps more accessible with Argo service
BY K AT I E D E E
Codefresh, the company that offers a GitOps platform for cloud native apps, announced that it is democratizing GitOps with Argo for all users with the availability of its hosted continuous deliv ery (CD) platform providing Argo as a service
The platform is also fully compatible with continuous integration offerings such as Jenkins and GitHub Actions, as well as Codefresh CI z
S o u r c e : N e w R e l i c
SD Times September 2022 www sdtimes com12 D E V O P S WATC DH E V O P S WATC H
New Relic introduces integrations with Jira
/ What lies ahe will discussseasaInth YA C< ad for this industry? In what w s this among other emerging tr taaS has wograms. Pecurity pr an emerging technology that helps businesses strategically mitigate risk and run eff itie latest BERSECURI Hype Cycle for Secur olve, avve, eoways can we impr rends in the context of security o won acclaim as a modern way to pentest. PtaaS Ex elps Ptatner lists, Garty Ope TWORY NET rations nd prepare? How do we measure ROI? verall: How has infosec changed?y o changeo pentest. PtaaS Ex ective vice,, AKA Pentest as a Ser, VENTKING ER aaS ure nged?ROI? />T sfraanrancisco boston chiccago ncity orkw yne austin berrlin the q u btheyo We'lfllfoodquestionsbring,bring.s company’s competitive eyour onntain a strandhatmaiwith industry lec k shop withCome tal dgempetitive ogram that honesty prng securi uss how to buildeaders, and disc velopmenurity and desecalh loc ntd peers,
oustU mer
“I would much prefer to miss a deadline, deliver a week later but be far more confident that what we’re delivering is on target with what the users need and what the business objectives of that product are,” he said Josh Koenig, co founder and chief strategy officer at the WebOps platform Pantheon, said that he believes UI/UX testing is absolutely critical when it comes to cus tomer satisfaction and retention because of the compet itive edge that it offers “Differentiating by delivering a good customer expe rience, whether that is in the early stages of discovery and learning, or in the latter stages of delivery and cus tomer service, it really matters,” Koenig said He expanded on this, saying that a strong investment in UI/UX testing helps organizations to exceed expecta tions, creating loyalty among existing users while also enticing new ones Jason Buhle, director of UX strategy at the UX research solution company AnswerLab and a lecturer in the online master of science in applied psychology pro gram at the University of Southern California, shared these beliefs He said, “It is important to do that evaluative testing so there’s not these frustrations that today will quickly drive people to another solution it’s not like the old days where you buy some expensive software and you’re kind of stuck with it, now you would just go use some thing else ” Dan Giordano, senior director of product marketing at the end to end software testing company, Appli tools, also spoke on the positive impact that robust UI/UX testing practices have on both customer satisfaction and retention“Ithink modern consumers have a level of standard that they expect when using an application or a website that is built from a large brand,” Giordano said. “And I think that the level of design that organizations do and the amount of effort that we’ve been putting towards it has really been raised a level in the last few years.” He credits much of the heightened empha sis on UI/UX testing in the last few years to the COVID 19 pandemic and the increased need for busi nesses to provide customers with visually pleasing and easy to use applications and websites Challenges with UI/UX testing Given this, the importance of UI/UX testing cannot be overstated However, despite this recognition, many organizations are still missing the mark with their cur rent testing practices According to the 2022 State of UI/UX Testing Report conducted by Applitools, a key reason that many compa nies struggle to keep up with UI/UX testing while also maintaining the velocity of feature releases is that more than half of them are still relying on manual testing prac tices to validate applications
BY K AT I E D E E
He explained that when organizations fail to make this investment and instead prioritize release deadlines, they are actually adding time to their schedule in the long run, while also risking losing customers to competi tors that offer better UI and UX.
Regardless of the industry, every business needs one thing to ensure its overall success and longevity: loyal and happy customers However, it seems that organizations often find themselves too caught up in accelerating the delivery of new features and meeting release deadlines, resulting in lackluster user experience (UX) With a steady investment in strong UI/UX testing practices, though, businesses can provide their users with the best experience possible while also maintaining their pace for feature delivery UI/UX and customer satisfaction Brent Stewart, senior director analyst at Gartner, emphasized the importance of UI/UX testing when it comes to customer satisfaction
ole ofe oin cu ole
SD Times September 2022 www sdtimes com14
test facga on www.sdtimes.com September 2022 SD Times 15
Buhle also said that the biggest challenge facing organizations right n o w i s m a n a g i n g t h i s h e i g h t e n e d demand and increased complexity “If I had to pick just one the problem is always finding the time and resources to fit testing in, in these increasingly fast moving envi ronments The world is moving faster continued on page 16 >
The survey revealed that due to the rapid evolution of technology, older testing practices are failing to keep up with the quality engineering demands for their digital products and services, which is why many organizations find themselves stuck “ We h a v e s e e n c h a n g e s e i t h e r from the business side in applications or from the development side occur multiple times a day,” said Giordano “ 7 2 % o f r e s p o n d e n t s h a d t h e i r biggest challenge around constantly changing UI UI frameworks and UI libraries have made changes that may have been a huge design haul in the past and may have taken months but can now take days and testing and keeping up with that I think is the biggest challenge ”
The right way to automate When automating these testing processes with AI, though, it has to be done in a very intentional and patient way to ensure nothing slips through the cracks. Giordano said that managing ambition and starting with a small section of an application where automation is necessary and then slowly building out components from there is the best method when it comes to this process.
“You then have an AI augmented analysis process that allows you to come to reliable findings and then generate stronger recommendations faster, so it reduces the level of effort significantly,” he said. z
Jason Buhle, director of UX strategy at the UX research solution company AnswerLab and a lecturer in the online master of science in applied psychology program at the University of Southern California, said that since UI and UX is all about an individual’s experience, the research and tests should be done by people rather than delegated to an AI tool. “I’m sure there are some opportunities… but I think it’s pretty rare that that is super useful,” he said. “What you usually need is to see more subtlety in the challenge and you need to understand the why... so I’m less enthusiastic around unmoderated testing [with AI].” Brent Stewart, senior director analyst at Gartner, said that based on his research, manual testing is still the most prevalent method among organizations.
Koenig, however, believed there to be a challenge even more pervasive than this. He said the biggest challenge is that organizations are approaching UI/UX testing in a siloed manner rather than as one part of a larger whole.
However, he went on to say that the analysis piece of the testing process is a place where a good amount of automation can actually be helpful.
He also mentioned that the increased complexity of websites and applications has made it difficult to find qualified researchers and testers who are fully able to manage the breadth of what UI/UX testing and user satisfaction now entails, adding another layer to this issue.
AI in UI/UX testing
SD Times September 2022 www.sdtimes.com < continued from page 15
“You don’t want to be consistently developing the same date picker or the same button scheme but re-coding and re-designing it every time,” he explained. “When you use a shared component system, you can test that really early on and be quite confident that when you use that button system in your particular UI that you’re building out, it’s going to be tested and consistent.” z
According to Koenig, a siloed approach to testing will inevitably lead to balls being dropped and mistakes being“Bymade.constantly trying to push back against other organizational imperatives with the results of their research… you end up with people arguing over what the priority is, but if you’re doing it right, that problem dematerializes because UI/UX testing is embedded in,” said Koenig.
“The single most common test that is done is usability testing… these are things that need to be configured by an individual,” Stewart said. “They need to be set up by someone who is informed about the business and research objectives of that inquiry… so it is still very human centric.”
He said that if a team approaches testing as its own island, separated from the other aspects of the development lifecycle, their system is inherently broken and it will fail to yield good results.
“It is really comforting when you start to have successful tests created and ran,” he said. “Then when you’re developing against those and they start to catch bugs it can really boost confidence for the whole product organization that testing is a worthwhile endeavor… so I think that starting small and growing is huge.” Along with the automation of UI/UX testing, Giordano also believes that investing in a good design system is crucial to maintaining velocity.
16 every day so I would say that is the biggest challenge,” said Buhle.
The positives of automation in UI/UX Giordano went on to discuss the ways in which the introduction of AI and automation can be a powerful tool in managing the increased UI/UX testing complexity.Giordano explained that AI can help to create a way to maintain and update tests that requires little to no human intervention.“Notjustlooking at self-healing tests in an object oriented way… but more in a visual way where we can understand, not only things at the code level, but also at the UI and presentation layer and understand where things break without you needing to really run another test,” Giordano explained. On top of the time saving benefits, he said that this also offers developers autonomy as changes that they were previously okay with can be made with a one-click update rather than having to re-test.
Stewart explained that there are tools out there that can look at recorded research and then identify any trends that pop up, sparing researchers from having to manually pour over several hours of recorded research.
sparxsystems.com RE NGA M A E GE O L SHDE Modeling and Design Tools for Changing Worlds Enterprise Architect Version 16 NEW UML ® | BPMN ® | BPSim | BPEL | DMN ™ | Google ® & AWS ® Icon Sets | TOGAF ® | Zachman ® XSD | ArchiMate ® | MARTE | SysML | NIEM ™ | BABOK ® | BIZBOK ® | BMM ™ | CMMN ™ | Code | DataBase | IFML ™ | GML ODM ™ | Schema | SoaML ™ |SOMF ™ | SPEM ™ | UAF | UBL | UPMC | VDML ™ | *More
A wide variety of APIs
While on the one hand, API manage ment problems stem from the sprawl of APIs, the other problem is that the plat forms that these companies are using were built around the concept of a sin gle gateway, according to Mark O’Neill, a VP analyst and chief of research for software engineering at Gartner.
There’s a wide range of APIs that compa nies use to carry out business tasks on a daily basis: internal APIs to represent coarse and fine grained service inter
Fifty one percent of respondents said that more than half of their organ izations’ development effort is spent on APIs compared with 40% of respon d e n t s i n 2 0 2 0 a n d 4 9 % l a s t y e a r, according to the 2022 State of the API Report that surveyed 37,332 developers and API professionals and included aggregated data from the Postman API P l a t f o r m o v e r a p p r o x i m a t e l y f o u r weeks in June and July 2022
BY JA KU B L E W KO W I C Z
“[With a single gateway], you put an API gateway in your architecture, and you try to funnel your API traffic through that gateway and the problem with that architecture is, when organiza tions have lots of different teams and applications that are producing and con suming APIs, there's no one place to put the gateway,” O’Neill said In its recent Magic Quadrant, Gart ner included API management tools that weren’t tied to a particular gateway to the surprise of some people
“The reason for that is because we now see this multi gateway world being a reality We hear people talk about what we would call the ‘Bring Your O w n G a t e w a y ’ m o d e l , w h e r e y o u already have a gateway, but you need the API lifecycle management that goes with that,” O’Neill added.
“This year, we found not only are m o s t o r g a n i z a t i o n s ’ d e v e l o p m e n t efforts focused on APIs, but firms that go even further and establish an API first approach tend to outperform and have a more optimistic business out l o o k . A s o r g a n i z a t i o n s n a v i g a t e a n uncertain economy, API first strategies are becoming the backbone that allows organizations to respond rapidly and seamlessly,” said Abhinav Asthana, co founder and CEO of Postman Despite two thirds of C level execu tives in the study thinking that the econ omy is turning sour, the vast majority say that API investment is par for the course and will even grow in the next year This vast expansion has led compa nies to be more API consumers than producers, which has amped up the need for API management to handle many of the tasks surrounding APIs more than ever before If Plato had to decide what the ulti mate Form of API management is, it would probably be something along the lines of a process that oversees all APIs in a secure, scalable environment with tools and services that enable develop ers to build, deploy, secure and manage APIs. However in practice, this has proven to be very difficult So much so that Gartner research estimates that by 2025, less than half of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools and “security controls try to apply old paradigms to new problems ”
At the same time, some of the tradi tional API management vendors start to add at least verbal support for other gateways. All in all, the two things that are essential to managing API security are strong inventory and real time discov ery to gain visibility into APIs Although there are some specialized security con trols, their API discovery features are limited and don’t have the application logic awareness to create relevant secu rity policies, according to Gartner’s research “For APIs, this means that applica tion security teams will deploy perime ter controls with threat inspection capa bilities, but will be limited to generic policies and detection signatures,” the research stated The API management tools that are so focused on a single gateway actually leave many APIs exposed.
Security a concern for API management
In a lot of scenarios in a typical mod ern web application stack where one has their front end using React, Angular, or another front end framework and a lot of APIs in the back end, there usually isn’t a gateway in between, O’Neill explained Although it would not make sense to put a heavyweight gateway there, those APIs often are falling victim to attack because people reverse engi neer the front end, and they directly access the APIs In many cases of breaches, affected APIs were not even going through an application firewall
Buyers Guide Security and inte gration are key concerns
The use of APIs has skyrocketed over the years and with organiza tions using so many different types of APIs on a normal basis, API management has become essential for managing the API attack surface
18 SD Times September 2022 www.sdtimes.com
Integrating APIs can be tricky as users must first define inputs and outputs, and may also have to configure the authenti cation settings It can also be a barrier to entry for non technical users Demands for API integration in highly regulated industries have had a big impact in driving the usage of APIs, according to O’Neill
19www.sdtimes.com September 2022 SD Times for
faces, data elements, and private and public APIs. Most organizations are also net consumers of APIs, notably third party APIs while convenient, these can pose security and dependency issues. By 2025, Gartner predicts that the percentage of third party APIs used in applications will average 30%, up from less than 10% in 2021, complicating dependency management “The first thing you should do is get visibility of your APIs and understand the attack surface by discovering all your APIs,” O’Neill said Then there are really two choices, O’Neill explained One is to put API gateways everywhere and the API man agement vendors are adapting to this by adding the functionality where they can have distributed API management The other approach is to tell developers that they’re free to use the API gateway that comes with the platform that they’re building the APIs on, whether that’s the Amazon API Gateway, Azure API Gate way, etc.
Another challenge with API man agement is that getting higher ups on board to invest in API security can be a hard sell for software engineering lead ers Many organizations continue to believe that general purpose API man agement tools sufficiently address API security By the time the security team gets funding and builds an RFP for a p r o d u c t , h u n d r e d s o f A P I s m i g h t already be in production, Gartner’s research continued The lackadaisical security surround ing APIs are also ironically the strength of APIs that led them to be so popular in the first place according to O’Neill “So it's like a Greek or Roman tragedy in that APIs are designed to enable quick and easy access to data or access to appli cation functionality. But from a security point of view, of course, those are con cerns. If you're making it easy to access your data and application functionality, then the worry is you're making it easy for malicious entities to access your data and your applications,” O’Neill said Not just a developers’ game
“ T h e m o s t f a m o u s i n s t a n c e i s around open banking So it started in the UK and Europe and then in many other parts of the world there have been open banking regulations Num ber one, that required banks to have APIs and then of course being banks they’re naturally concerned about secu rity,” O’Neill said. “But then also, many of the regulations have quite complex requirements for how the access to the APIs is managed. Open banking is all about putting the customer in charge of h o w t h e i r b a n k i n g i n f o r m a t i o n i s accessed. That brings in the standards like OAuth and OpenID Connect, so it drives the usage of API management products that support those ” In the healthcare industry, the Unit ed States requires healthcare payers and providers to have API based inte grations as well This is another field where there is a big focus around secu r i t y, p a r t i c u l a r l y r e l a t e d t o p r i v a c y where APIs are being used to access customer information
Integration is key
The 2022 State of the API Report found that there was an almost even split with developer and non developer roles as to who worked with APIs in an organizationFullstac k d e v e l o p e r s w e r e t h e largest single group at 25% of respon dents, down slightly from last year’s 27% Backend developers showed a bit stronger representation at 19%, com pared with 17% in 2021 “Historically, it has been develop ment teams either the developers themselves would make the choices regarding API management, or the organization has had an API Center of Excellence, an overall API platform team, or sometimes that would be part of it a digital team that managed the APIs,” O’Neill said More recently, security teams have realized that APIs are a major point of weakness and vulnerability “They are telling us that they want to take control of API security They don't trust that either the developers or the API teams, such as API Centers of Excellence, are strong enough on securi ty, to protect APIs,” O’Neill said
“Open banking and healthcare regu lations continue to move around the world and become more mature And that's been a big driver of API manage ment,” O’Neill said z API management
The biggest factor in companies deciding whether to consume or produce APIs, according to the 2022 State of the API report, is how well they integrate with internal apps and systems This corre sponds to the report’s finding that the number of integrated APIs across enter prise teams has jumped twentyfold “As more companies recognize APIs as the building blocks of modern soft ware, API tools and services are evolving to meet their needs These offerings span the API lifecycle, including design, testing, and security They also include repositories for source code, API gate ways, application performance monitor ing, and CI/CD all of which must inte grate with API platforms to achieve optimal results,” the report stated.
n Kong delivers a next generation API and service life cycle management platform designed for modern architectures, includ ing microservices, containers, cloud and serverless. Kong is building the future of service control platforms to intelligently broker information across services.
n Cloud Elements delivers an API integra tion platform on three pillars: “Elements” unify APIs with enhanced capabilities for authentication, discovery, search, error handling and API maintenance “Formulas” combine those Elements to automate busi ness processes across applications “Virtual Data Hubs” provide a normalized view of data objects
• The ability to simplify and accelerate the adoption of your own APIs n Red Hat 3scale API Management gives control, visibility and flexibility to organiza tions seeking to create and deploy an API program It features comprehensive securi ty, monetization, rate limiting, and commu nity features that businesses seek backed by Red Hat’s solid scalability and perform ance n SmartBear Software empowers users to thrive in the API economy with tools to accelerate every phase of the API life cycle SmartBear is behind some of the biggest names in the API market, including Swag ger, SoapUI and ReadyAPI With Swagger’s easy to use API development tools, Soa pUI’s automated testing proficiency, Alert Site’s API monitoring and ReadyAPI’s mocking and virtualization capabilities, users can build, test, share and manage the best performing APIs
Features include request/response trans formations, API traffic control and produc tization, OAuth2 authentication support, advanced API analytics, threat detection, and the developer portal.
n Microsoft’s Azure API Management solution enables users to publish, manage, secure and analyze APIs in minutes It fea tures the ability to create an API gateway and developer portal quickly, ability to manage all APIs in one place, provides insights into APIs, and connects to back end services
n Apigee is an API management platform for modernizing IT infrastructure, building microservices and managing applications.
n Postman is a collaboration platform for API development, used by more than 7 mil lion developers and 300,000+ companies worldwide. Postman allows users to design, mock, debug, test, document, monitor, and publish APIs all from one place.
n CData: Connect, Integrate, and Auto mate your enterprise data At CData, we simplify connectivity between all of the applications and data sources that power business operations, making it easier to unlock the strategic value of your data By focusing on established standards for data access, our solutions plug into all of the business applications that you use today
• Reduced time/effort to adopt APIs and services
The platform was acquired by Google in 2016 and added to the Google Cloud. It includes gateway, security, analytics, devel oper portal, and operations capabilities.
• Reduced risk of vendor lock in and poor data quality
n SnapLogic Lifecycle API Management is an end to end solution designed for manag ing, scaling and controlling API consump tion quickly, seamlessly and securely.
n CA Technologies, a Broadcom company, helps customers create an agile business by modernizing application architectures with APIs and microservices Layer7 API Man agement provides the most trusted and complete capabilities across the API life cycle for development, orchestration, secu rity, management, monitoring, deployment, discovery and consumption ”
A guide to API management tools
With Autonomous REST Connector organizations can expect:
n Akana by Perforce provides an end to end API management solution for design ing, implementing, securing, managing, monitoring, and publishing APIs. The Akana API Platform helps you create and publish secure, reliable APIs that are elegant, easy to consume, built the right way, and running as they should be to improve the customer experience and drive growth in your busi ness.
• Continued value from existing analytic and reporting tools when moving to APIs and services
n TIBCO Cloud Mashery is a cloud native API management platform that can be deployed anywhere, either as a SaaS serv ice or containerized in cloud native and on premise environments. Mashery delivers market leading full life cycle API manage ment capabilities for enterprises adopting cloud native development, and its capabili ties includes API. z
n IBM API Connect on IBM Cloud is an API life cycle management offering that allows any organization to secure, manage and share APIs across multi cloud and hybrid environments.
n Nevatech Sentinet is an enterprise class API management platform written in NET that is available for on premises, cloud and hybrid environments Sentinet supports industry SOAP and REST standards as well as Microsoft specific technologies and includes an API Repository for API Gover nance, API versioning, auto discovery, description, publishing and Lifecycle Man agement
20 SD Times September 2022 www.sdtimes.com
n MuleSoft’s Anypoint API Manager is designed to help users manage, monitor, analyze and secure APIs in a few simple steps The manager enables users to proxy existing services or secure APIs with an API management gateway; add or remove pre built or custom policies; deliver access man agement; provision access; and set alerts so users can respond proactively
n Boomi’s API management solution pro vides a unified and scalable, cloud based platform to centrally manage and enrich API interactions through their entire life cycle With Boomi, users can rapidly config ure any endpoint as an API, publish APIs on premises or in the cloud, manage APIs with traffic control and usage dashboards
n Oracle‘s API Platform Cloud Service pro vides an end to end service for designing, prototyping, documenting, testing and managing the proliferation of critical APIs.
n The Progress DataDirect Autonomous
REST Connector offers intelligent data con nectivity to API sourced data from SQL based applications such as BI, Analytics, and ETL tools
Security should encourage their adoption but safely. That starts with a risk assessment to deter mine if it’s a “connected” platform. If it is, then ver ify the credentials used to connect to third party services Ideally, they are service accounts and not ordinary users
The data entered using these components stays on the platform, making it easier to analyze from a security per spective Ultimately, these com ponents aren’t that much differ ent from any other SaaS platform in use So, let’s label low code / no code platforms that only have components like this contained. What really sets this new wave of tools apart from the previous generations is the cloud. The cloud has made APIs (application programming interfaces) the norm.
But as with any new technologies, there can be increased risks. Should you be concerned about the security of low code/no code platforms?
Low code / no code is a win for the business overall and a win for the CIO because these platforms empower business teams to solve their own prob lems.
Connected platforms make direct connections to other services either data input or output or both
ow code/no code platforms address the increasing demand for customized IT solutions by letting those closest to the issue build the solution
Your next step is to research and enable any log ging for the platform and its connections It’s criti cal that you maintain and even expand visibility into the activities on these platforms That visibility is likely going to be your only security control to respond to data breaches or exposure issues
As that record is created, the app connects to Salesforce and creates an opportunity in your sales workflow, automatically assigning an account man ager It then checks with your email marketing tool to look for this contact Discovering they are already in the marketing funnel, it moves them to a different path in order to avoid overwhelming them
Connected risks A connected platform means that you ’ re now los ing visibility into where your data is being stored and processed
Two types of platforms
Should you be concerned about the security of low-code/no-code platforms?
That’s a win for your business z
The first step in any risk assessment is determining the desired functionality of the tool This often leads to areas that need more investigation Low code / no code platforms provide a variety of components that can be assembled into a customized solution things like text boxes, date/time pickers, number inputs, and more
These tools provide a set of building blocks that any one can connect together to solve a problem.
T h a t n a t u r e o f l o w c o d e / n o c o d e m e a n s t h a t c o n n e c t i o n s t o t h i r d p a r t y s e r v i c e s a r e o f t e n d o n e w i t h a n i n d i v i d u a l ’ s c r e d e n t i a l s i n s t e a d o f a s e r v i c e a c c o u n t . T h i s m e a n s t h a t “ M a r k ” h a s m a d e a c o n n e c t i o n b e t w e e n t h e c u s t o m a p p a n d t h e o t h e r s e r v i c e , r e g a r d l e s s o f w h o ’ s a c t u a l l y u s i n g i t This lack of granularity can mean big challenges for security The team no longer has visibility into who is accessing that data, as all access is logged under that one user if it’s logged at all S e c u r i t y h a s l o n g s t r u g g l e d t o g a i n v i s i b i l i t y i n t o w h a t ’ s h a p p e n i n g i n t h e c o m p a n y ’ s I T e n v i r o n m e n t Wi t h t h e r a p i d a d o p t i o n o f t h e s e p l a t f o r m s , i t ’ s l i k e l y t h a t t h e r e w i l l b e s i g n i f i c a n t v i s i b i l i t y g a p s u n t i l t h i s s p a c e m a t u r e s t o m e e t e n t e r p r i s e n e e d s How to adjust
SD Times September 2022 www.sdtimes.com
Mark Nunnikhoven is Distinguished Cloud Strategist at Lacework
The 65% of all application development that Gartner predicts will happen on these platforms in the next few years doesn’t mean a move away from traditional development It’s a wave of new devel opment as these platforms remove barriers allow ing more people to solve their problems
Is low code a security risk?
22 Guest View B Y M A R K N U N N I K H O V E N L
If you consume data from a service like Marke to in your custom app and then send that data to another outside service, what’s the risk? You often won’t know. And that is in and of itself, the risk.
Let’s imagine a scenario where your team is at an event They’re talking to a potential customer, then ask for some information to enter into your low code / no code app
l Value-added skills: These skills represent the next level of Agile maturity.
www.sdtimes.com September 2022 SD Times 12 essential skills for
4. User stories. User stories in Agile develop ment shift the focus from writing requirements to addressing customer needs A user story contains a short description of a feature from the perspective of the role desiring the new capability
7. Continuous learning. A key tenet of agility is that practitioners be open to learning new skills not just from project to project, but also as part of a lifelong learning process. Multiskilled individuals enable teams to quickly solve problems and achieve better business outcomes.
he demand for experienced developers skilled with Agile processes and practices has reached a critical point due to significant growth in Agile adoption, up from 37% in 2020 to 84% in 2021 per the 15th Annual State of Agile Report. Agile application developers should not wait for continuing external factors to drive the evolution of their skills; instead, they should proactively explore, identify, and learn skills to improve their ability to deliver business value. Twelve skills are critical for Agile application development teams to drive digital business l Core skills: These skills are fundamental to Agile app dev Keep in mind that not every devel oper needs to be an expert in every area, as Agile teams are cross functional and rely on multiple individuals’ skills
1. Scrum. Scrum is the dominant Agile frame w o r k , p r o v i d i n g a n i t e r a t i v e a n d i n c r e m e n t a l approach for solving complex problems Small col laborative teams typically deliver work in short iterations (sprints) of about two weeks
Agile application developers should not wait for continuing external factors to drive the evolution of their skills. agile devs
5. Customer focus. Product development must become customer centric, with developers getting closer to their customers using user per sonas, customer journey mapping, in depth inter views and usability testing
8. Collaborative development. In collabora tive development, more than one team member works on a single feature or application at any giv en time This can benefit teams by providing a built in mechanism for code review, reducing development cycle time and broadening skill sets as teammates learn from each other 9. Ownership and collaboration. Small, self directed, autonomous teams collaborating to build solutions only succeed when all members of the team commit to a set of shared val ues, such as focus, courage, open ness, commitment and respect 10. Agile architecture. Tradi tional approaches to software architecture do not support an Agile development life cycle Inflexible monolithic applications, architectural complexity and technical debt burden development teams, impede agility and frustrate users. Component based architectures provide greater development agility, increased deployment flexibility and more process scalability.
12. Scaling Agile. Expanding the validated suc cess of Agile pilots to the broader enterprise is both challenging and rewarding for organizations Agile practices will not only benefit other development teams but also infrastructure and operations, enter prise architecture and security by reducing risk, improving business outcomes and increasing pre dictability z
3. Metrics. Successful app dev teams objec tively measure and analyze their software develop ment processes.
23 Analyst View B Y B I L L H O L Z
2. Kanban. Kanban is a method for visualizing, managing and continually improving a process' ability to deliver a service It is a pull based delivery flow system that exposes constraints, creates flow by limiting the amount of work in progress and sig nals when capacity is available to start new work.
T
6. Test first. Test first practices like test driven a n d b e h a v i o r d r i v e n d e v e l o p m e n t e n s u r e t h a t application developers build the right software the first time With the additional reuse benefits of val idation and documentation, creating tests before writing the code provides exceptional value to the development process
l Specialized/emerging skills: These skills represent potentially significant, game changing processes and practices for Agile developers
1 1 . A g i l e d a t a b a s e m a n a g e m e n t . A g i l e teams quickly find that database changes become a constraint that limits velocity To increase the speed of delivery, cultivate database management skills to become more self sufficient and reduce dependence on database administrators
Bill Holz is a research VP at Gartner, Inc focused on software development methodologies and web development
A recent survey of SD Times print and digital subscribers revealed that their number one choice for receiving marketing information from software providers is from advertising in SD Times Software, DevOps and application development managers at large companies need a wide angle view of industry trends and what they mean to them. That’s why they read and rely on SD Times Isn’t it time you revisited SD Times as part of your marketing campaigns? Reach software development managers the way they prefer to be reached For advertising opportunities, contact SD Times Publisher David Lyman +1 978 465 2351 • dlyman@d2emerge com